You can configure WebFOCUS BUE to authenticate users against your corporate Active Directory. The WebFOCUS BUE Client passes user sign-in credentials to the WebFOCUS BUE Reporting Server, which in turn validates them against an external source. WebFOCUS BUE can authenticate users against external Active Directory or LDAP directories. Users are externally authenticated whenever they access WebFOCUS BUE and when they access the Reporting Server Console.
The benefits of authenticating users to the Active Directory include:
To convert to external Active Directory or LDAP authentication, you must override the default setting of internal authentication in both the BUE Client and the Reporting Server, and establish a connection between the Reporting Server and the LDAP provider that will support authentication activities.
Here is an overview of the configuration steps:
Since the default Manager account, manager, generally does not exist in the external source, it cannot be authenticated once external authentication has been successfully configured. The new Manager account that you create will exist in both WebFOCUS and Active Directory, so that you can use it to access the BUE once you have restarted WebFOCUS in its new authentication configuration.
In the steps which follow, you will be required to provide credentials for two service accounts. The first is a BUE Reporting Server account, PTH\srvadmin, that is used by WebFOCUS BUE to delegate authentication to the Reporting Server. The password for this account is pre-configured during BUE installation to be the same as the password you supplied for the BUE Manager account.
The second is an Active Directory account of your choice that is used by the Reporting Server to authenticate users and retrieve their full description and email information, which in turn is passed back to the BUE to update the user account. This service account simply needs read access to Active Directory. Generally, any Active Directory account can be used for this purpose but you must make sure its password is set to never expire.
You do not need to enter a description or email address because this information will be automatically updated during sign in based on information retrieved by the BUE from Active Directory.
An icon for the new user appears under Users and under Users in Group, when you click the Managers group.
The Navigation pane displays an expandable LDAP folder.
In some cases, you can also enter the domain name of your organization, for example: ibi.com.
Most installations use the default port number, 389.
The section expands and displays the ldap_principal and ldap_credentials fields.
It is important that this account has a non-expiring password to avoid disruption to the BUE.
If you receive a message that the Discover LDAP server attributes failed, click OK, and then review and update the settings you entered up to this point.
If all settings are correct, the page refreshes and displays additional headings. Fields in the User Search section contain values populated directly from the Reporting Server.
If you receive a message that the connection or password failed, review and update your settings if necessary, and try again.
If the password succeeded, continue with the next step.
The Status of the LDAP entry changes to Primary, and the Status of the PTH<internal> Security provider entry changes to Secondary automatically.
The screen refreshes and displays the Change Effective Security Provider page.
When the confirmation dialog box opens, click OK.
The Reporting Server Console refreshes and displays the Applications tab.
The External page displays the settings currently assigned to the Reporting Server.
This is a Reporting Server administrator account that was installed automatically during the BUE installation.
The password was assigned during BUE installation, and is initially set to the same value that you entered for the manager account during installation.
Note: The placement of this ID and its associated Password in the Server Administrator ID field enables the Client to present them to the Reporting Server when sending User authentication requests.
When the confirmation dialog box opens, click OK.
If this installation of the BUE is based on the Windows operating system, stop and restart the WebFOCUS BUE 82 Application Server service in the Services Window.
If this installation of the BUE is based on the Linux operating system, navigate to drive/ibi/WebFOCUS_BUE82/tomcat/bin and run the shutdown.sh and startup.sh utilities.
The user description on the Menu Bar in the BUE Portal, and the Email Address of this account now reflect the values retrieved by the BUE from the Active Directory.
Now that you have configured BUE to authenticate users to Active Directory, you can create BUE accounts and assign them to the appropriate groups. This can be done in two ways:
Security Center. To use the Security Center to create and assign accounts to groups, create accounts in the usual way, including assigning them to the desired groups. However, because BUE is now configured for Active Directory authentication, you do not need to assign passwords for these users, and you do not need to populate the Description and Email fields for them. As you have seen, this information is automatically retrieved from Active Directory as each user signs in.
Import Users. To use the Import Users feature, define a CSV file containing one row for each user account. You can use the file getting_started_sample_users.csv, located in your BUE installation directory, as a template. You can leave the password, user description, and email values blank, but you must preserve the same number of commas in the file to properly delimit all the required fields. You can adjust the group membership data in the CSV for each user account to suit your requirements, or you can leave it blank and assign users in the Security Center. The file should contain only data rows, with the required number of commas on each row, and no blank lines. Here is an example:
user1, , , ,ACTIVE,
user2, , , ,ACTIVE,Getting_Started/Developers;Retail_Samples/AdvancedUsers
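A pre-import check for such a file, given here as an added example that is not part of the product or its documentation. It assumes the column order implied by the sample rows above (user ID, password, description, email, status, groups separated by semicolons); the function name and the extra sample rows are constructed for illustration.

```python
# Added example: pre-import check for a BUE Import Users CSV.
# Assumption: column order inferred from the sample rows on this page:
#   user ID, password, description, email, status, groups (";"-separated).
EXPECTED_COMMAS = 5  # both sample rows on the page contain five commas


def lint_import_rows(text):
    """Return a list of (line_number, message); an empty list means no findings."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            findings.append((number, "blank line"))
            continue
        commas = line.count(",")  # raw count; quoted commas are not handled
        if commas != EXPECTED_COMMAS:
            findings.append((number, f"expected {EXPECTED_COMMAS} commas, found {commas}"))
            continue
        user, password, _desc, _email, _status, groups = (
            field.strip() for field in line.split(",")
        )
        if not user:
            findings.append((number, "empty user ID"))
        if password:
            # With Active Directory authentication the password column is unused,
            # so a value here is only a credential sitting in a plain-text file.
            findings.append((number, "password column is not blank"))
        if groups and any(not g.strip() for g in groups.split(";")):
            # A stray ";" leaves an empty group name, most likely a typo.
            findings.append((number, "empty entry in group list"))
    return findings


# Constructed sample input: the first two rows are the page's own examples,
# the remaining three are deliberately malformed.
SAMPLE = (
    "user1, , , ,ACTIVE,\n"
    "user2, , , ,ACTIVE,Getting_Started/Developers;Retail_Samples/AdvancedUsers\n"
    "\n"
    "user3, , ,ACTIVE,\n"
    "user4,Winter2024!, , ,ACTIVE,Getting_Started/Developers;\n"
)

if __name__ == "__main__":
    for number, message in lint_import_rows(SAMPLE):
        print(f"line {number}: {message}")
```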